/** * if session is started, check if ownCloud key pair is set up, if not create it * @param \OC\Files\View $view * * @note The ownCloud key pair is used to allow public link sharing even if encryption is enabled */ public function __construct($view) { $this->view = $view; if (!$this->view->is_dir('files_encryption')) { $this->view->mkdir('files_encryption'); } $appConfig = \OC::$server->getAppConfig(); $publicShareKeyId = Helper::getPublicShareKeyId(); if ($publicShareKeyId === false) { $publicShareKeyId = 'pubShare_' . substr(md5(time()), 0, 8); $appConfig->setValue('files_encryption', 'publicShareKeyId', $publicShareKeyId); } if (!Keymanager::publicShareKeyExists($view)) { $keypair = Crypt::createKeypair(); // Save public key Keymanager::setPublicKey($keypair['publicKey'], $publicShareKeyId); // Encrypt private key empty passphrase $cipher = Helper::getCipher(); $encryptedKey = Crypt::symmetricEncryptFileContent($keypair['privateKey'], '', $cipher); if ($encryptedKey) { Keymanager::setPrivateSystemKey($encryptedKey, $publicShareKeyId); } else { \OCP\Util::writeLog('files_encryption', 'Could not create public share keys', \OCP\Util::ERROR); } } if (Helper::isPublicAccess() && !self::getPublicSharePrivateKey()) { // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; $encryptedKey = Keymanager::getPrivateSystemKey($publicShareKeyId); $privateKey = Crypt::decryptPrivateKey($encryptedKey, ''); self::setPublicSharePrivateKey($privateKey); \OC_FileProxy::$enabled = $proxyStatus; } }
/** * if session is started, check if ownCloud key pair is set up, if not create it * @param \OC\Files\View $view * * @note The ownCloud key pair is used to allow public link sharing even if encryption is enabled */ public function __construct($view) { $this->view = $view; if (!$this->view->is_dir('owncloud_private_key')) { $this->view->mkdir('owncloud_private_key'); } $appConfig = \OC::$server->getAppConfig(); $publicShareKeyId = $appConfig->getValue('files_encryption', 'publicShareKeyId'); if ($publicShareKeyId === null) { $publicShareKeyId = 'pubShare_' . substr(md5(time()), 0, 8); $appConfig->setValue('files_encryption', 'publicShareKeyId', $publicShareKeyId); } if (!$this->view->file_exists("/public-keys/" . $publicShareKeyId . ".public.key") || !$this->view->file_exists("/owncloud_private_key/" . $publicShareKeyId . ".private.key")) { $keypair = Crypt::createKeypair(); // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; // Save public key if (!$view->is_dir('/public-keys')) { $view->mkdir('/public-keys'); } $this->view->file_put_contents('/public-keys/' . $publicShareKeyId . '.public.key', $keypair['publicKey']); // Encrypt private key empty passphrase $cipher = \OCA\Encryption\Helper::getCipher(); $encryptedKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($keypair['privateKey'], '', $cipher); if ($encryptedKey) { Keymanager::setPrivateSystemKey($encryptedKey, $publicShareKeyId . '.private.key'); } else { \OCP\Util::writeLog('files_encryption', 'Could not create public share keys', \OCP\Util::ERROR); } \OC_FileProxy::$enabled = $proxyStatus; } if (\OCA\Encryption\Helper::isPublicAccess()) { // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; $encryptedKey = $this->view->file_get_contents('/owncloud_private_key/' . $publicShareKeyId . '.private.key'); $privateKey = Crypt::decryptPrivateKey($encryptedKey, ''); $this->setPublicSharePrivateKey($privateKey); $this->setInitialized(\OCA\Encryption\Session::INIT_SUCCESSFUL); \OC_FileProxy::$enabled = $proxyStatus; } }
/** * decrypt private key and add it to the current session * @param array $params with 'uid' and 'password' * @return mixed session or false */ public function initEncryption($params) { $session = new \OCA\Encryption\Session($this->view); // we tried to initialize the encryption app for this session $session->setInitialized(\OCA\Encryption\Session::INIT_EXECUTED); $encryptedKey = Keymanager::getPrivateKey($this->view, $params['uid']); $privateKey = Crypt::decryptPrivateKey($encryptedKey, $params['password']); if ($privateKey === false) { \OCP\Util::writeLog('Encryption library', 'Private key for user "' . $params['uid'] . '" is not valid! Maybe the user password was changed from outside if so please change it back to gain access', \OCP\Util::ERROR); return false; } $session->setPrivateKey($privateKey); $session->setInitialized(\OCA\Encryption\Session::INIT_SUCCESSFUL); return $session; }
/** * store multiple share keys for a single file * @param \OC\Files\View $view * @param \OCA\Files_Encryption\Util $util * @param string $path * @param array $shareKeys * @return bool */ public static function setShareKeys($view, $util, $path, array $shareKeys) { // in case of system wide mount points the keys are stored directly in the data directory $basePath = Keymanager::getKeyPath($view, $util, $path); self::keySetPreparation($view, $basePath); $result = true; foreach ($shareKeys as $userId => $shareKey) { if (!self::setKey($basePath, $userId . '.shareKey', $shareKey, $view)) { // If any of the keys are not set, flag false $result = false; } } // Returns false if any of the keys weren't set return $result; }
/** * @param $path * @param $size * @return bool */ public function postFileSize($path, $size) { $view = new \OC_FilesystemView('/'); // if path is a folder do nothing if ($view->is_dir($path)) { return $size; } // get relative path $relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path); // if path is empty we cannot resolve anything if (empty($relativePath)) { return $size; } $fileInfo = false; // get file info from database/cache if not .part file if (!Keymanager::isPartialFilePath($path)) { $fileInfo = $view->getFileInfo($path); } // if file is encrypted return real file size if (is_array($fileInfo) && $fileInfo['encrypted'] === true) { $size = $fileInfo['unencrypted_size']; } else { // self healing if file was removed from file cache if (!is_array($fileInfo)) { $fileInfo = array(); } $userId = \OCP\User::getUser(); $util = new Util($view, $userId); $fixSize = $util->getFileSize($path); if ($fixSize > 0) { $size = $fixSize; $fileInfo['encrypted'] = true; $fileInfo['unencrypted_size'] = $size; // put file info if not .part file if (!Keymanager::isPartialFilePath($relativePath)) { $view->putFileInfo($path, $fileInfo); } } } return $size; }
/** * enable recovery * * @param string $recoveryKeyId * @param string $recoveryPassword * @internal param \OCA\Encryption\Util $util * @internal param string $password * @return bool */ public static function adminEnableRecovery($recoveryKeyId, $recoveryPassword) { $view = new \OC\Files\View('/'); $appConfig = \OC::$server->getAppConfig(); if ($recoveryKeyId === null) { $recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8); $appConfig->setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId); } if (!$view->is_dir('/owncloud_private_key')) { $view->mkdir('/owncloud_private_key'); } if (!$view->file_exists("/public-keys/" . $recoveryKeyId . ".public.key") || !$view->file_exists("/owncloud_private_key/" . $recoveryKeyId . ".private.key")) { $keypair = \OCA\Encryption\Crypt::createKeypair(); \OC_FileProxy::$enabled = false; // Save public key if (!$view->is_dir('/public-keys')) { $view->mkdir('/public-keys'); } $view->file_put_contents('/public-keys/' . $recoveryKeyId . '.public.key', $keypair['publicKey']); $cipher = \OCA\Encryption\Helper::getCipher(); $encryptedKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($keypair['privateKey'], $recoveryPassword, $cipher); if ($encryptedKey) { Keymanager::setPrivateSystemKey($encryptedKey, $recoveryKeyId . '.private.key'); // Set recoveryAdmin as enabled $appConfig->setValue('files_encryption', 'recoveryAdminEnabled', 1); $return = true; } \OC_FileProxy::$enabled = true; } else { // get recovery key and check the password $util = new \OCA\Encryption\Util(new \OC\Files\View('/'), \OCP\User::getUser()); $return = $util->checkRecoveryPassword($recoveryPassword); if ($return) { $appConfig->setValue('files_encryption', 'recoveryAdminEnabled', 1); } } return $return; }
/** * @brief When a file is deleted, remove its keyfile also */ public function preUnlink($path) { // let the trashbin handle this if (\OCP\App::isEnabled('files_trashbin')) { return true; } // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; $view = new \OC_FilesystemView('/'); $userId = \OCP\USER::getUser(); $util = new Util($view, $userId); // get relative path $relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path); list($owner, $ownerPath) = $util->getUidAndFilename($relativePath); // Delete keyfile & shareKey so it isn't orphaned if (!Keymanager::deleteFileKey($view, $ownerPath)) { \OCP\Util::writeLog('Encryption library', 'Keyfile or shareKey could not be deleted for file "' . $ownerPath . '"', \OCP\Util::ERROR); } Keymanager::delAllShareKeys($view, $owner, $ownerPath); \OC_FileProxy::$enabled = $proxyStatus; // If we don't return true then file delete will fail; better // to leave orphaned keyfiles than to disallow file deletion return true; }
/** * @return bool */ public function stream_close() { $this->flush(); // if there is no valid private key return false if ($this->privateKey === false) { // cleanup if ($this->meta['mode'] !== 'r' && $this->meta['mode'] !== 'rb' && !$this->isLocalTmpFile) { // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; if ($this->rootView->file_exists($this->rawPath) && $this->size === 0) { $this->rootView->unlink($this->rawPath); } // Re-enable proxy - our work is done \OC_FileProxy::$enabled = $proxyStatus; } // if private key is not valid redirect user to a error page \OCA\Encryption\Helper::redirectToErrorPage($this->session); } if ($this->meta['mode'] !== 'r' && $this->meta['mode'] !== 'rb' && $this->isLocalTmpFile === false && $this->size > 0 && $this->unencryptedSize > 0) { // only write keyfiles if it was a new file if ($this->newFile === true) { // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; // Fetch user's public key $this->publicKey = Keymanager::getPublicKey($this->rootView, $this->keyId); // Check if OC sharing api is enabled $sharingEnabled = \OCP\Share::isEnabled(); $util = new Util($this->rootView, $this->userId); // Get all users sharing the file includes current user $uniqueUserIds = $util->getSharingUsersArray($sharingEnabled, $this->relPath); $checkedUserIds = $util->filterShareReadyUsers($uniqueUserIds); // Fetch public keys for all sharing users $publicKeys = Keymanager::getPublicKeys($this->rootView, $checkedUserIds['ready']); // Encrypt enc key for all sharing users $this->encKeyfiles = Crypt::multiKeyEncrypt($this->plainKey, $publicKeys); // Save the new encrypted file key Keymanager::setFileKey($this->rootView, $util, $this->relPath, $this->encKeyfiles['data']); // Save the sharekeys Keymanager::setShareKeys($this->rootView, $util, $this->relPath, $this->encKeyfiles['keys']); // Re-enable proxy - our work is done \OC_FileProxy::$enabled = $proxyStatus; } // we need to update the file info for the real file, not for the // part file. $path = Helper::stripPartialFileExtension($this->rawPath); $fileInfo = array('encrypted' => true, 'size' => $this->size, 'unencrypted_size' => $this->unencryptedSize); // set fileinfo $this->rootView->putFileInfo($path, $fileInfo); } $result = fclose($this->handle); if ($result === false) { \OCP\Util::writeLog('Encryption library', 'Could not close stream, file could be corrupted', \OCP\Util::FATAL); } return $result; }
/** * enable recovery * * @param string $recoveryKeyId * @param string $recoveryPassword * @return bool */ public static function adminEnableRecovery($recoveryKeyId, $recoveryPassword) { $view = new \OC\Files\View('/'); $appConfig = \OC::$server->getAppConfig(); if ($recoveryKeyId === null) { $recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8); $appConfig->setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId); } if (!Keymanager::recoveryKeyExists($view)) { $keypair = Crypt::createKeypair(); // Save public key Keymanager::setPublicKey($keypair['publicKey'], $recoveryKeyId); $cipher = Helper::getCipher(); $encryptedKey = Crypt::symmetricEncryptFileContent($keypair['privateKey'], $recoveryPassword, $cipher); if ($encryptedKey) { Keymanager::setPrivateSystemKey($encryptedKey, $recoveryKeyId); // Set recoveryAdmin as enabled $appConfig->setValue('files_encryption', 'recoveryAdminEnabled', 1); $return = true; } } else { // get recovery key and check the password $util = new Util(new \OC\Files\View('/'), \OCP\User::getUser()); $return = $util->checkRecoveryPassword($recoveryPassword); if ($return) { $appConfig->setValue('files_encryption', 'recoveryAdminEnabled', 1); } } return $return; }
/** * unmount file from yourself */ public static function postUnmount($params) { $path = $params[\OC\Files\Filesystem::signal_param_path]; $user = \OCP\User::getUser(); if (!isset(self::$unmountedFiles[$path])) { return true; } $umountedFile = self::$unmountedFiles[$path]; $keyPath = $umountedFile['keyPath']; $owner = $umountedFile['owner']; $ownerPath = $umountedFile['ownerPath']; $view = new \OC\Files\View(); // we don't need to remember the file any longer unset(self::$unmountedFiles[$path]); // check if the user still has access to the file, otherwise delete share key $sharingUsers = \OCP\Share::getUsersSharingFile($path, $user); if (!in_array($user, $sharingUsers['users'])) { Keymanager::delShareKey($view, array($user), $keyPath, $owner, $ownerPath); } }
/** * @return bool */ public function stream_close() { $this->flush(); // if there is no valid private key return false if ($this->privateKey === false) { // cleanup if ($this->meta['mode'] !== 'r' && $this->meta['mode'] !== 'rb') { // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; if ($this->rootView->file_exists($this->rawPath) && $this->size === 0) { $this->rootView->unlink($this->rawPath); } // Re-enable proxy - our work is done \OC_FileProxy::$enabled = $proxyStatus; } // if private key is not valid redirect user to a error page \OCA\Encryption\Helper::redirectToErrorPage(); } if ($this->meta['mode'] !== 'r' and $this->meta['mode'] !== 'rb' and $this->size > 0) { // Disable encryption proxy to prevent recursive calls $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; // Fetch user's public key $this->publicKey = Keymanager::getPublicKey($this->rootView, $this->userId); // Check if OC sharing api is enabled $sharingEnabled = \OCP\Share::isEnabled(); $util = new Util($this->rootView, $this->userId); // Get all users sharing the file includes current user $uniqueUserIds = $util->getSharingUsersArray($sharingEnabled, $this->relPath, $this->userId); // Fetch public keys for all sharing users $publicKeys = Keymanager::getPublicKeys($this->rootView, $uniqueUserIds); // Encrypt enc key for all sharing users $this->encKeyfiles = Crypt::multiKeyEncrypt($this->plainKey, $publicKeys); // Save the new encrypted file key Keymanager::setFileKey($this->rootView, $this->relPath, $this->userId, $this->encKeyfiles['data']); // Save the sharekeys Keymanager::setShareKeys($this->rootView, $this->relPath, $this->encKeyfiles['keys']); // get file info $fileInfo = $this->rootView->getFileInfo($this->rawPath); if (!is_array($fileInfo)) { $fileInfo = array(); } // Re-enable proxy - our work is done \OC_FileProxy::$enabled = $proxyStatus; // set encryption data $fileInfo['encrypted'] = true; $fileInfo['size'] = $this->size; $fileInfo['unencrypted_size'] = $this->unencryptedSize; // set fileinfo $this->rootView->putFileInfo($this->rawPath, $fileInfo); } return fclose($this->handle); }
/** * @brief decrypt given file with recovery key and encrypt it again to the owner and his new key * @param string $file * @param string $privateKey recovery key to decrypt the file */ private function recoverFile($file, $privateKey) { $sharingEnabled = \OCP\Share::isEnabled(); // Find out who, if anyone, is sharing the file if ($sharingEnabled) { $result = \OCP\Share::getUsersSharingFile($file, $this->userId, true); $userIds = $result['users']; $userIds[] = $this->recoveryKeyId; if ($result['public']) { $userIds[] = $this->publicShareKeyId; } } else { $userIds = array($this->userId, $this->recoveryKeyId); } $filteredUids = $this->filterShareReadyUsers($userIds); $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; //decrypt file key $encKeyfile = $this->view->file_get_contents($this->keyfilesPath . $file . ".key"); $shareKey = $this->view->file_get_contents($this->shareKeysPath . $file . "." . $this->recoveryKeyId . ".shareKey"); $plainKeyfile = Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey); // encrypt file key again to all users, this time with the new public key for the recovered use $userPubKeys = Keymanager::getPublicKeys($this->view, $filteredUids['ready']); $multiEncKey = Crypt::multiKeyEncrypt($plainKeyfile, $userPubKeys); // write new keys to filesystem TDOO! $this->view->file_put_contents($this->keyfilesPath . $file . '.key', $multiEncKey['data']); foreach ($multiEncKey['keys'] as $userId => $shareKey) { $shareKeyPath = $this->shareKeysPath . $file . '.' . $userId . '.shareKey'; $this->view->file_put_contents($shareKeyPath, $shareKey); } // Return proxy to original status \OC_FileProxy::$enabled = $proxyStatus; }